Accessing an encrypted Qubes OS partition after sys-usb has locked you out

Qubes OS treats every USB device as potentially malicious by default. If you take USB-based attacks on your Qubes OS environment seriously, you will want to install a USB qube such as sys-usb. A more detailed explanation can be found here:

The connection of an untrusted USB device to dom0 is a security risk since dom0, like almost every OS, reads partition tables automatically and since the whole USB stack is put to work to parse the data presented by the USB device in order to determine if it is a USB mass storage device, to read its configuration, etc. This happens even if the drive is then assigned and mounted in another qube.

The idea of sys-usb is to sit between dom0 and the USB hardware as an isolating intermediary: the USB controllers are assigned to the sys-usb qube, so if a malicious device exploits the USB stack, only the sys-usb qube is compromised and dom0 is untouched. sys-net (with sys-firewall behind it) plays the same role for the network hardware.

The steps for installing sys-usb can be found here. I especially recommend reading the following warning from that page:

Warning: A USB keyboard cannot be used to type the disk passphrase if USB controllers were hidden from dom0. Before hiding USB controllers make sure your laptop keyboard is not internally connected via USB (by checking the output of the lsusb command) or that you have a PS/2 keyboard at hand (if using a desktop PC). Failure to do so will render your system unusable.

Bang! I obviously skipped that part and didn't have a PS/2 keyboard at hand. Bad choice. RTFM next time! I was basically locked out of my system.

Below is a short workaround for getting at your encrypted Qubes data immediately. Note that it is a data-recovery procedure, not a repair: the lockout itself is fixed by booting with the USB controllers visible to dom0 again (the Qubes documentation describes this as removing the rd.qubes.hide_all_usb parameter from the kernel command line in the boot entry), after which a USB keyboard can type the passphrase as before.

Download GParted Live or any other bootable Linux image, write it to a USB stick, boot from it and open a root shell. The live system boots its own kernel, so the hidden-USB setting in the Qubes boot entry does not affect it. Verify the image's checksum or signature before booting it: you are about to type your LUKS passphrase into it.

Now open the LUKS container of Qubes OS and map it to a virtual device: sudo cryptsetup open /dev/sdaX qubes (replace sdaX with the Qubes partition shown by lsblk). On a default install the container holds an LVM volume group (named qubes_dom0), so activate it with vgchange and mount its root logical volume read-only at /mnt/final before continuing.

You can now access your Qubes OS system files, including the directory where the AppVM volumes are stored: cd /mnt/final/var/lib/qubes/appvms

There you will find one directory per VM; cd into the one holding the data you intend to extract. It contains several .img files and a $VM-name.conf file, which is not of interest. The private.img file (the VM's /rw and home directory) is the one we want to mount. file private.img shows that, for a standard fedora-25 AppVM, the image contains an ext4 filesystem, which we now mount read-only. Keep in mind that the kernel of the live system will parse this filesystem, so only mount images of VMs whose data you trust, and never mount them writable during recovery. On Qubes 4.x the private volume is an LVM thin volume (/dev/qubes_dom0/vm-$VM-name-private) rather than an .img file, but the rest of the procedure is the same.

Create a mountpoint: mkdir /mnt/emails

mount -o ro,loop private.img /mnt/emails/

What comes next depends on what you intend to restore. If you want to access your old emails in Thunderbird, for instance, cd /mnt/emails/home/user/.thunderbird

Now insert a second USB stick (check its device name with lsblk) and mount it: mkdir /mnt/extern

mount /dev/$USB2 /mnt/extern/

Now copy the data to the external USB stick: cp -r $profile /mnt/extern/ and, before rebooting, unmount everything in reverse order and close the container again (umount, vgchange -an, cryptsetup close) so the copy is flushed and the LUKS mapping does not stay open.
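The whole procedure above as one script, added here as an example and not code from the original post. It is meant to be run as root from the live USB; every device name, the volume group name qubes_dom0 and the mountpoints are assumptions set as variables, and DRY_RUN=1 prints the commands instead of executing them. Instead of eyeballing file private.img, it checks the ext2/3/4 superblock magic itself before handing the image to the kernel, and mounts everything it only reads as read-only.

```shell
#!/bin/sh
# Added example, not from the original post: Qubes data recovery from a live
# Linux USB. Device names, VG name and mountpoints below are assumptions;
# set the variables to match what `lsblk` shows on your machine.
# DRY_RUN=1 prints each command instead of running it.
set -eu

LUKS_DEV="${LUKS_DEV:-/dev/sda2}"   # assumption: the encrypted Qubes partition
VG="${VG:-qubes_dom0}"              # volume group name of a default Qubes install
ROOT_MNT="${ROOT_MNT:-/mnt/final}"  # dom0 root volume goes here
VM_MNT="${VM_MNT:-/mnt/vm}"         # the AppVM's private.img goes here
EXT_DEV="${EXT_DEV:-/dev/sdb1}"     # assumption: the second (destination) USB stick
EXT_MNT="${EXT_MNT:-/mnt/extern}"
DRY_RUN="${DRY_RUN:-0}"

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Echo the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi
}

# ext2/3/4 share the superblock magic 0xEF53, stored little-endian (bytes
# 53 ef) at byte offset 1080. Checking it replaces `file private.img` and
# refuses to feed a non-ext image to the live kernel's filesystem parser.
is_ext_fs() {
  magic=$(dd if="$1" bs=1 skip=1080 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
  [ "$magic" = "53ef" ]
}

# Open the LUKS container, activate the LVM inside it, mount dom0's root
# read-only: nothing in this procedure needs to write to the Qubes disk.
open_container() {
  run cryptsetup open "$LUKS_DEV" qubes      # prompts for the LUKS passphrase
  run vgchange -ay "$VG"
  run mkdir -p "$ROOT_MNT"
  run mount -o ro "/dev/$VG/root" "$ROOT_MNT"
}

# Mount one AppVM's private.img read-only. `noload` stops ext4 from replaying
# the journal, so even the image file itself is never touched.
mount_private() {
  img="$ROOT_MNT/var/lib/qubes/appvms/$1/private.img"
  if [ "$DRY_RUN" != 1 ]; then
    [ -f "$img" ] || die "no private.img for VM $1 (Qubes 4.x keeps it in an LVM volume)"
    is_ext_fs "$img" || die "$img does not carry an ext2/3/4 superblock"
  fi
  run mkdir -p "$VM_MNT"
  run mount -o ro,loop,noload "$img" "$VM_MNT"
}

# Copy a path relative to the VM's private volume (e.g. home/user/.thunderbird)
# onto the destination stick, preserving ownership and timestamps.
export_path() {
  run mkdir -p "$EXT_MNT"
  run mount "$EXT_DEV" "$EXT_MNT"
  run cp -a "$VM_MNT/$1" "$EXT_MNT/"
  run sync
}

# Tear everything down in reverse order so the LUKS mapping does not stay open.
cleanup() {
  run umount "$EXT_MNT"
  run umount "$VM_MNT"
  run umount "$ROOT_MNT"
  run vgchange -an "$VG"
  run cryptsetup close qubes
}

main() {
  [ $# -eq 2 ] || { printf 'usage: %s VM-NAME PATH-INSIDE-PRIVATE-VOLUME\n' "$0"; return 0; }
  open_container
  mount_private "$1"
  export_path "$2"
  cleanup
}

main "$@"
```

Usage on the live system, after adjusting the variables: LUKS_DEV=/dev/nvme0n1p3 EXT_DEV=/dev/sdb1 ./recover.sh work home/user/.thunderbird. Run it once with DRY_RUN=1 first to see which devices it is about to touch.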